Russian Researchers Uncover Sophisticated NSA Malware

Over the weekend Russian IT security vendor Kaspersky Lab released a report about a new family of malware dubbed "The Equation Family". The software appears, from Kaspersky's description, to be some of the most advanced malware ever seen. It is composed of several different pieces of software, which Kaspersky Lab reports work together and have been infecting computer users around the world for over a decade. It appears that specific techniques and exploits developed by the Equation Group were later used by the authors of Stuxnet, Flame, and Regin. The report alleges that the malware has significant commonalities with other programs that have been attributed to Western intelligence agencies; Reuters subsequently released an article about the report in which an anonymous former NSA employee claims that the malware was directly developed by the NSA.

Among the most interesting and advanced features of the malware is its ability to compromise and rewrite hard drive firmware. Reprogramming the hard drive itself in this way is a deeper level of compromise than infecting an operating system, and can let the malware re-install itself from a hidden sector of the hard drive even if the drive is securely wiped and reformatted and the OS is reinstalled from scratch. Conventional wisdom about reinstalling operating systems in response to suspected infections may therefore not be enough for the victims of attacks like Equation's.

Antivirus companies regularly try to improve their products by doing malware research—trying to find and analyze new malicious software in the wild. They are in a very good position to see the entire landscape of malicious software and attacks, which today increasingly includes government-sponsored malware. Some observers found it significant that Kaspersky—a Russian firm—was the only company to release a report about the Equation Group, Kaspersky's shorthand name for the anonymous authors of the malware. Many antivirus companies are based in, or have important business interests in, countries that develop government malware, such as the Five Eyes (the U.S., United Kingdom, Australia, New Zealand, and Canada), and these companies may come under pressure to conceal government malware. Having antivirus companies, security companies, and malware researchers in a variety of different jurisdictions is valuable in that they can collaborate on their research and resist this sort of pressure.

The hard drive firmware capabilities of the Equation Group malware and code names that are described in the report match up closely with NSA capabilities and code names previously disclosed in Der Spiegel. That lends credibility to the hypothesis that Equation Group is part of or affiliated with the NSA, which would mark one of the first times that programs or capabilities exposed by journalists were specifically found in the wild. This is a very exciting development; it will be interesting to see if researchers continue to succeed in publicly documenting samples of other nation-state malware and attack tools whose existence has been reported or conjectured.

The report also mentions that the Equation Group used several different 0-day exploits to spread their malware. Some of these exploits were later used by Stuxnet. One of the exploits used was originally used in the 2009 Aurora attack; it was later repurposed by the Equation Group to be used against government officials in Afghanistan. This raises some interesting questions—is the NSA stockpiling 0-day vulnerabilities? Is it doing any reporting of 0-days to the affected companies? How does NSA decide whether or for how long to stockpile such knowledge? EFF filed a lawsuit last year demanding that the NSA answer these questions.

Another important question was promptly raised in the press: given that the Equation Group's software can infect a broad range of hard drives, replacing their firmware with maliciously customized versions, did the hard drive companies collaborate with governments to develop this firmware? Based on the information we have now, it's hard to draw a reliable conclusion one way or the other. A Kaspersky researcher claimed that there is “no way that hard drive firmware could be reverse engineered using public information.” Yet at least two published projects from years past have demonstrated otherwise: a team of researchers in 2013 created a full-fledged hard drive firmware backdoor akin to that used by Equation Group, using only publicly available information and reverse engineering; and that same year an individual researcher achieved a comparable level of access to modify hard drive behavior, again using only reverse engineering and without any manufacturer assistance. These and other projects show it's quite possible to learn to tamper with the components that make up a computer, even without support from the manufacturer.

Seeing these attacks in the wild has spurred new anxiety about whether our hard drives and other parts of our computers could be compromised. (To be clear, the Kaspersky research does not suggest that the manufacturers tampered with the drives, but rather that software, once introduced onto a user's computer, can reprogram them.) What can the hard drive manufacturers do in order to assure users that their drives have not been compromised? Unfortunately, it's not entirely clear; there are a few solutions, but they generally require changing current hard drive designs, potentially in a ways that make them more expensive. What is clear is that hard drive manufacturers must bear the responsibility of assuring customers that their products can't be twisted into tools of the surveillance state.

The long-term problem here is deeper than just the Equation Group's wizardry. Your modern computer is made up of many little computers. Each of those computers can conceivably be infected with malicious software separately from the main computer, but you never see or interact with them directly, so nobody has given much thought to how to secure them, how to scan them for malicious code, or even how to do a forensic analysis on them. Unfortunately, infecting any one of them can give total control over the main computer or the ability to spy on or break some of its activities. It's a problem that has been demonstrated publicly by researchers over and over again. Security researcher Halvar Flake has given an excellent talk demonstrating some of the scope of this problem.

This attack vector is serious; the solutions are daunting. Hardware manufacturers must ensure that their firmware is open source, can be audited for security, can be updated and replaced by consumers. We must also create ways for average computer users to verify that the firmware on their devices is the firmware that they expected to be there.

We are glad to have an even better understanding of the techniques and tools used by the surveillance state. We still need more transparency from the US Government about the use of 0-day vulnerabilities in intelligence gathering. This report once again demonstrates how important it is that all companies take concrete steps to protect consumer privacy and prove that they are not exposing their customers to surveillance. Some hard drive vendors, asked for comment by the press, pronounced their products completely safe and immune to tampering—even as Kaspersky showed that those same products were actively being exploited. We hope those vendors will reconsider that overconfidence and get to work improving the safety of their products.

Related Updates

EFF is in it for the long run, especially in the important, hard fights for your rights. One of the longest running fights in online civil liberties is over your right to have a private conversation over a digital network. Whether it’s for our intimate relationships, our healthcare, our associations...

EFF has presented its full evidentiary case that the five ordinary Americans who are plaintiffs in Jewel v. NSA were among the hundreds of millions of nonsuspect Americans whose communications and communications records have been touched by the government’s mass surveillance regimes. This presentation includes a new...

In the United States, a secret federal surveillance court approves some of the government’s most enormous, opaque spying programs. It is near-impossible for the public to learn details about these programs, but, as it turns out, even the court has trouble, too. According to new opinions obtained by EFF last...

UPDATE September 14, 2018: This blog has been updated at the bottom to include information about two Senators’ reactions to the NSA’s call detail record deletion. In late June, the NSA announced a magic trick—hundreds of millions of collected call records would disappear. Its lovely assistant? Straight from the agency’s...

Agron Hasbajrami is a U.S. resident who was arrested at JFK airport in 2011 on his way to Pakistan and charged with providing material support to terrorists. Although the government used Section 702, its warrantless Internet surveillance authority, to build its case against Hasbajrami, it withheld this fact from his...

Two reporters recently identified eight AT&T locations in the United States—towering, multi-story buildings—where NSA surveillance occurs on the backbone of the Internet. Their article showed how the agency taps into cables, routers, and switches that handle vast quantities of Internet traffic around the world. Published by The Intercept, the...

This week, 24 civil liberties organizations, including EFF and the ACLU, urged Director of National Intelligence Daniel Coats to report—as required by law—statistics that could help clear up just how many individuals are burdened by broad NSA surveillance of domestic telephone records. These records show who is calling whom and...

Lt. Gen. Paul Nakasone, the new nominee to direct the NSA, faced questions Thursday from the Senate Select Committee on Intelligence about how he would lead the spy agency. One committee member, Senator Ron Wyden (D-OR), asked the nominee if he and his agency could avoid the mistakes of...